INTEGRITY IN ELECTRONIC FLIGHT CONTROL SYSTEMS


P.  R.  KURZHALS  and  R.  ONKEN 


ABSTRACT 


With  the  increased  use  of  electronic  flight-control  systems  for  better  aircraft  performance 
and  cost-effectiveness,  development  and  test  techniques  which  can  insure  the  integrity  of 
such  systems  have  become  critically  important.  Rapid  advances  in  solid-state  electronics 
have  permitted  a  hundred-fold  decrease  in  control  computer  size,  power  and  cost  over  the 
past  two  decades.  Designers  have  capitalized  on  these  gains  primarily  by  incorporating 
additional  control  functions  to  improve  aircraft  capabilities.  Resulting  control  systems 
have  become  very  complex  and  reliability  requirements  have  mushroomed.  This  paper 
summarizes  the  evolution  of  these  requirements,  outlines  the  current  status  of  flight 
control  reliability,  and  highlights  promising  methods  of  achieving  integrity  in  future 
flight  control  systems. 


INTRODUCTION 

While reliable control of the flight path has been man's primary concern since the conception
of the airplane, modern flight control really came into its own with the automatic
flight control systems introduced after World War II. With the advent of the jet engine
and the attendant extension of the flight envelope and airplane configuration, designers
increasingly turned to the control engineer for help in the solution of the multitude of
problems brought on by this new phase of flight.

Beginning  with  the  early  all-electric  autopilots  and  the  first  demonstration  of  automatic 
flight,  resultant  control  advances,  led  by  electronic  technology  gains,  have  revolutionized 
flight  control  functions  and  mechanizations  over  the  past  three  decades.  Replacement  of 
mechanical  linkages  by  computer  modules,  and  the  subsequent  miniaturization  of  these  modules, 
have  provided  the  potential  for  control  systems  volume  and  weight  reductions  of  nearly  two 
orders of magnitude. Figure 1 shows the impact of these electronic advances for a representative
autopilot subassembly.² A typical 195a subsystem with about 950 cubic centimeters
of  circuit  cards  could  -  in  1968  -  be  produced  as  two  microelectronic  modules  having  a 
volume  of  less  than  50  cubic  centimeters.  By  1973,  hybrid  design  concepts  reduced  the 
volume  of  these  modules  to  less  than  10  cubic  centimeters.  In  practice,  much  of  this 
potential  has  been  used  to  add  new  flight  control  system  functions  aimed  at  further 
improving  aircraft  performance. 

As  a  result,  flight  control  applications  have  evolved  from  simple  pilot-relief  autopilots 
to  flight-critical  and  redundant  fly-by-wire  and  active  control  systems.  To  assure  the 
integrity  of  these  systems,  more  hardware  had  to  be  added  to  achieve  the  reliability 
needed for flight safety. Figure 2 illustrates this evolution in complexity. Early
added  control  system  functions,  such  as  command  augmentation,  could  be  accommodated  with 
a  single,  non-redundant  channel.  As  new  functions  were  adopted  and  the  pilot  became  more 
dependent  on  these  functions,  in-line  monitors  were  included  to  check  the  system  integrity. 
For  flight-critical  implementations  which  required  accommodation  of  inflight  failures, 
additional  levels  of  redundancy  were  incorporated  to  provide  fail-safe  and  fail-operative 
performance.  Redundancy  management  electronics  which  provided  the  circuitry  for  accuracy 
enhancement,  fault  isolation,  fault  reporting  and  built-in  test  rapidly  became  the  dominant 
part  of  the  system.  The  related  growth  in  complexity  has  led  to  a  twenty-fold  increase 
in  the  number  of  system  elements.  Flight  control  system  reliability  requirements  have 
increased  at  an  even  faster  pace  and  are  now  comparable  to  those  for  the  primary  structure. 
As  represented  in  Figure  3  by  the  probability  of  computer  systems  failure  for  a  10  hour 
flight  period,  this  increase  spans  some  six  orders  of  magnitude  over  the  past  20  years. 
Failure probabilities of less than 10“® per flight hour, projected for the flight-critical
control  systems  of  the  next  generation  of  aircraft,  thus  present  a  major  and  relatively 
unexplored  challenge  to  the  flight  control  system  designer. 


CURRENT  STATUS 

The  current  status  of  flight  control  systems  reliability  can  best  be  assessed  by  reviewing 
the  performance  of  state-of-the-art  avionics  hardware  through  the  analysis  of  a  quantifiable 
parameter such as MTBF (Mean Time Between Failures). One such study assessed some 98
different  types  of  avionics  equipment.  Over  1.2  million  aircraft  failures  observed  during 
more  than  a  million  flight  hours  were  included  in  the  analysis.  Avionics  subsystems  were 
found to be involved in more aircraft failures than any other aircraft subsystem, with
the  proportion  of  avionics  failures  to  total  failures  ranging  from  27%  for  helicopters  to 
52%  for  supersonic  fighters.  Avionics  subsystems  were  found  to  experience  one  failure 
every  2.8  flight  hours,  on  average.  As  shown  in  Figure  4,  only  45%  of  the  failures  studied 
were  traceable  to  specific  hardware  and  software  causes.  The  remaining  55%  were  classified 
either as hardware failures with unknown causes (26%) or as an anomaly (29%), defined as
any  failure  which  could  not  be  verified  in  maintenance  checkout.  For  equipment  procured 
under contracts which included an MTBF specification as part of the over-all design criteria,
less than 25% of the specified MTBF was actually achieved in the field. Even so,
MTBFs were higher by a factor of 1.4 in equipment procured under contracts containing
an MTBF specification than in equipment procured with no MTBF specification.

The difficulties in achieving specified reliability standards, and in diagnosing failures
in modern avionics equipment, underscore the need for reliable design concepts and methods
for future aircraft flight control systems.


HIGH-RELIABILITY APPROACHES

High-integrity flight control systems must achieve required reliability standards while
maintaining an appropriate balance among the competing factors of cost, scheduling, and
performance. Thus, reliability should be an inherent element of the total design approach,
with responsibility for attaining established reliability goals assigned (and accepted)
early in the conceptual stages of design. By addressing the question of high system
reliability throughout the design process, many resources (both dollars and hours) can be
saved which would otherwise have to be devoted to after-the-fact design alterations. The
fail-and-fix approach to system reliability, inherently inefficient in general, is particularly
ineffective in eliminating those design problems which result in relatively infrequent
failures. This is especially relevant for future complex avionics and flight control
mechanizations, which are characterized by thousands of potential failure modes, none of
which may repeat often enough to assure their elimination.

Considerable design and test experience for such analog and digital fly-by-wire flight
control systems has been obtained. Figure 5 illustrates a representative advanced flight
control system, the digital fly-by-wire system developed and tested by NASA on an F-8
aircraft. Typical elements of such a system include sensor modules to determine the aircraft
state and errors from a desired path, processing electronics and networks to generate
the necessary control commands, and actuators to drive the aircraft control surfaces.
Reliability characteristics for each of these elements and for the total system must be
considered to assure adequate flight control integrity.

Sensors 

Accelerometers, gyros, and differential transformers are the most commonly used sensors
in automatic flight-control systems. Since servo-nulled linear accelerometers and linear
variable differential transformers have well-established records for reliability and are
likely to continue to be used in highly-reliable flight control applications in the future,
the greatest improvements in sensor reliability will probably be made in angular rate
sensors. Spin motor and bearing failures account for most rate gyro failures; it is
therefore likely that future highly reliable control systems will feature angular rate
sensors which do not employ these components. Ring laser gyros and magnetohydrodynamic
rate sensors are currently being designed to alleviate this problem. These sensors
achieve high reliability by minimizing many of the wearout modes caused by moving
mechanical parts.

Higher reliability can also be achieved by applying skewed sensor techniques to reduce
the number of rate gyros required in a given flight control system. In addition to
increasing reliability by reducing the number of parts which can fail, the skewed sensor
approach results in savings of weight, power, and volume.

Another approach uses analytic redundancy instead of redundant sensor hardware. This is
accomplished by exploiting the knowledge about the aircraft dynamics and coupling of the
aircraft state-vector components for the implementation of observer filters which provide
additional information about the aircraft state. By use of the observer signals, failure
detection and voting can be easily achieved and the number of sensor devices can be
reduced without reducing reliability.

Electronics

Potential reliability problems caused by defective electronic components can be minimized
by incorporating component redundancy into the design process. Some drawbacks of the
component redundancy method should be borne in mind, however. The most obvious difficulties
are due to the increase in parts count inherent in this approach. Additional
parts result in increased size, weight, cost, power consumption and power losses, all of
which add undesirable and sometimes unnecessary complications to the total design process.
Furthermore, successful exploitation of the component-redundancy approach requires a
certain amount of a priori information about the failure mechanism which is to be eliminated.
For example, one would probably apply a parallel arrangement of redundant components
if the most likely failure were an open circuit, while short circuits are better accounted
for by arranging components in series. A relatively complex arrangement of redundant
components is required to protect against all possible combinations of component failures.
Figure 6 illustrates the problem facing the designer when he uses redundancy to protect
against component failures in even a simple application. Reliable information about
probable failure modes is difficult enough to obtain after a failure has occurred; it is
that much more difficult to generate such information in an a priori fashion during the
design stage.
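
The dependence of the best redundant arrangement on the dominant failure mode, and the more complex arrangement needed to cover both modes, worked numerically as an added example (not from the paper). It assumes independent components that are each good, failed open, or failed short; the function names and the failure probabilities are constructed for illustration.

```python
from itertools import product

# A block is described by (p_open, p_short): the probabilities that it fails
# as an open circuit or as a short circuit. Assumed model, not from the paper:
# failures are independent and the two modes are mutually exclusive.


def series(a, b):
    """Two blocks in series: either open opens the chain, both must short to short it."""
    return (1 - (1 - a[0]) * (1 - b[0]), a[1] * b[1])


def parallel(a, b):
    """Two blocks in parallel: both must open to open it, either short shorts it."""
    return (a[0] * b[0], 1 - (1 - a[1]) * (1 - b[1]))


def arrangements(p_open, p_short):
    """Return {name: (p_fail_open, p_fail_short)} for four arrangements."""
    c = (p_open, p_short)
    return {
        "single": c,
        "parallel pair": parallel(c, c),
        "series pair": series(c, c),
        "series-parallel quad": parallel(series(c, c), series(c, c)),
    }


def total_failure(p_open, p_short):
    """Probability that each arrangement fails in either mode."""
    return {name: po + ps for name, (po, ps) in arrangements(p_open, p_short).items()}


def quad_by_enumeration(p_open, p_short):
    """Cross-check the quad by enumerating all 3**4 component-state combinations."""
    prob = {"good": 1 - p_open - p_short, "open": p_open, "short": p_short}

    def conducts(c):  # two parallel branches, each of two parts in series
        return (c[0] and c[1]) or (c[2] and c[3])

    fail_open = fail_short = 0.0
    for combo in product(prob, repeat=4):
        p = 1.0
        for state in combo:
            p *= prob[state]
        # Commanded to conduct: every part that is not open passes current.
        if not conducts([s != "open" for s in combo]):
            fail_open += p
        # Commanded to block: only shorted parts pass current.
        if conducts([s == "short" for s in combo]):
            fail_short += p
    return fail_open, fail_short


if __name__ == "__main__":
    # Constructed failure probabilities: opens dominate, then shorts dominate.
    for label, po, ps in (("open-dominant", 0.01, 0.001), ("short-dominant", 0.001, 0.01)):
        print(label)
        for name, p in total_failure(po, ps).items():
            print(f"  {name:22s} {p:.3e}")
```

With the constructed values, the parallel pair beats the single part only when opens dominate and the series pair only when shorts dominate, while the four-part arrangement improves on both at four times the parts count.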

The problems associated with defining a priori the most likely component failure modes
can be eliminated by applying the redundancy method on a system level in which any
failure in a prime system results automatically in a shut-down of the prime system and
a simultaneous switch to the first of one or more back-up systems. Subsystem redundancy
entails the same fundamental restrictions as component redundancy (increased size, weight,
cost) but, as discussed earlier, leads to an enormous increase in system complexity
and sophistication. In addition to providing in the backup system or systems all
the functional capabilities of the prime system, it is also necessary to incorporate some
means for detecting prime system failures in real-time and for switching from prime to
back-up systems. Currently research is being sponsored at several places to develop the
technology of fault-tolerant computer systems for application where extremely high
reliability is required, with both hardware and software methods being investigated.

The  fault-tolerant  computer  used  in  future  flight-control  applications  will  be  capable  of 
detecting  computer-system  errors.  It  will  further  be  able  to  assess  the  error  and  take 
corrective action as appropriate. For example, the highly-reliable computer will be
capable  of  altering  its  internal  processing  procedures  through  reconfiguration  to  bypass 
the  fault  which  has  been  detected.  The  application  of  such  fault-tolerant  techniques 
will  eventually  allow  the  power  of  real-time  computer  processing  to  be  applied  even  in 
flight-critical  applications. 

Actuators 

Hydraulic actuators are used extensively in highly reliable flight-control systems and
reliability is achieved through the application of advanced technology at both the component
and the system level. On the component level, improvements which continue to be made
in  hydraulic  fluids,  tube  connectors,  tube  materials,  seals,  and  filtration  techniques 
will  ultimately  result  in  enhanced  reliability  for  the  entire  flight  control  system.  New 
system-level  technology  under  consideration  includes  high-pressure  fluid-distribution 
systems  to  achieve  substantial  reductions  in  space  and  weight  with  improved  maintainability 
and  reliability.  Integrated  actuators,  capable  of  positioning  the  control  surface  directly 
from  an  electrical  command,  will  likely  be  a  part  of  future  highly  reliable  control  systems. 

Reliability  in  actuator  systems  is  often  achieved  by  the  application  of  various  redundancy 
methods.  The  multicylinder  hydraulic  actuator  is  in  widespread  use  and  is  found  in  a 
large number of configurations. Dual and triple designs of tandem cylinders have been
built, as have multiple single cylinders, to achieve enhanced reliability. Combinations
of independent control surfaces operated by individual actuators are also used to further
improve control system reliability. For the purpose of enhanced failure detection in
redundant  actuators,  digital  or  incremental  technology  can  be  applied  to  the  electro- 
hydraulic  part  of  such  systems. 


SOFTWARE  IMPLICATIONS 

The  importance  of  software  reliability  is  often  underestimated  when  the  question  of 
overall  system  reliability  is  considered.  It  is  assumed  that  software  errors  are  found 
during debugging and testing and that the probability that a hardware component or subsystem
will fail represents the essence of the system reliability concept. Unfortunately,
errors  in  the  assembly  of  software  code  are  as  likely  to  escape  "final  check-out"  as  the 
design  and  fabrication  shortcomings  which  eventually  lead  to  hardware  failures. 

Figure  7  indicates  the  evolution  of  computer  hardware  and  software  costs.  Note  that  the 
ratio  of  software  costs  to  total  system  costs  is  growing  rapidly.  This  reflects  in  part 
recent  and  projected  decreases  in  the  cost  of  computer  hardware,  but  the  trend  is  also 
due  to  the  growing  size  and  complexity  of  modern  software  operating  systems.  It  is  to 
be  expected  that  this  increase  in  software  sophistication  will  be  accompanied  by  a 
corresponding  increase  in  systems-reliability  problems  associated  with  software  errors. 

The  relative  importance  of  software  reliability  becomes  clearer  when  one  realizes  that, 
in  current  electronic  flight  control  systems,  software  costs  exceed  computer  hardware 
costs  by  a  factor  of  three  to  four  and  that  the  largest  effort  in  developing  software  is 
due  to  the  testing,  correction,  retesting,  release,  recall,  correction,  and  re-release 
of software. The task of developing the original code is quite small in comparison.
Figure 8 represents the estimated and actual costs of developing software for a representative
system.¹⁵ This figure illustrates that software costs are often unanticipated, or
at best underestimated, and that considerable effort is routinely expended in the post-production
stage of system development to correct software-related errors.

The  magnitude  of  this  problem  can  be  further  appreciated  when  one  realizes  that,  while 
the hardware designer has at his disposal a wide range of design methodologies and alternatives
to use in optimizing hardware reliability, the software designer does not.
Historically  his  objective  has  been  limited  to  developing  coding  to  the  point  that  it 
"works";  that  is,  to  the  point  that  the  software  program  consistently  produces  expected 
results  from  a  set  of  known  inputs. 

When  the  concept  of  hardware  reliability  was  originally  conceived,  hardware-systems 
engineering  was  a  well-developed  field.  By  contrast,  the  problem  facing  software 
designers  is  that  coding  is  fundamentally  an  art  form,  with  no  generalized  methodology 
available  for  guidance  in  the  development  of  software. 

Structured programming techniques and standardized higher-order languages do offer
some promise of segmenting and simplifying future software generation. Compiler writing
systems, first developed by DOD and now being extended by NASA, can further aid this
process  by  automatically  translating  programs  written  in  a  higher  order  language  into 
machine  language  for  a  candidate  flight  computer.  Used  with  software-reference  libraries, 
which  assemble  commonly-used  software  algorithms  such  as  quadratic  filters,  and  with 
built-in validation and verification programs, these compiler writing systems can significantly
decrease the cost of the many iterations and changes inherent in the design
of flight control systems.

Other software reliability-assurance systems, under development by NASA, will be
capable  of  detecting  and  assessing  errors  and  reconfiguring  the  operating  systems  in 
such  a  way  that  the  error  mechanism  which  has  been  detected  is  by-passed.  In  a  parallel 
effort,  a  number  of  reliability  assessment  methods  are  being  designed  to  provide  the 
design  engineer  with  a  yardstick  for  measuring  the  reliability  of  complex  computer 
systems.  An  example  of  such  an  effort  is  the  computer-aided  reliability  analysis  (CARE) 
program developed by the Langley Research Center. This program calculates the reliability
of a given fault-tolerant system model and is currently being extended to include
multiply-redundant,  highly-reliable  computer  configurations. 

While  efforts  are  under  way  within  NASA,  as  well  as  in  industry  and  DOD,  to  develop  a 
consistent software design methodology, progress in this extremely difficult and
complex  endeavor  is  necessarily  slow.  With  the  rapid  advances  now  being  witnessed  in 
the  technology  of  reliable,  solid-state  hardware,  it  is  becoming  increasingly  likely  that 
future  systems  reliability  will  be  paced  more  and  more  by  developments  in  software 
engineering  or  that  much  future  software  will  be  replaced  by  hard-wired  equivalents  or 
firmware. 


LIGHTNING  CONSIDERATIONS 

Flight  control  systems  must  operate  in  an  environment  in  which  severe  electrical  transients 
caused  by  lightning  strikes  are  likely,  if  not  certain,  to  occur.  Lightning  strikes  on 
representative transport aircraft have occurred about once per 2500 flight hours.²¹ It
is  important  that  the  designer  understand  the  lightning  threat  and  allow  for  it  in  the 
design  of  avionics  and  flight  control  systems. 

As  illustrated  in  Figure  9,  a  typical  lightning  flash  always  involves  an  entry  point  and 
an exit point on the aircraft.²² Usually these points are extremities on the aircraft,
such  as  the  nose  and  wing  tip.  Each  lightning  flash  is  composed  of  a  number  of  high 
current  strokes,  with  peak  currents  ranging  from  30,000  amperes  for  a  moderate  stroke  to 
around  200,000  amperes  for  a  severe  stroke.  The  total  lightning  event  may  last  from  0.1 
to  1  second,  with  continuous  currents  on  the  order  of  several  hundred  amperes  between 
strokes.

Lightning  current  flowing  through  the  structural  resistance  of  the  aircraft  produces  a 
voltage  which  can  be  thought  of  loosely  as  an  IR  drop  across  the  structure.  Circuits 
with  multiple  connections  to  the  aircraft  structure  will  have  this  voltage  developed 
across  the  corresponding  terminals.  Such  IR  effects  can  be  countered  by  employing  a 
single  point  ground  to  the  aircraft  frame  or  by  using  differential  wiring  in  which  wires 
are  provided  for  signal  and  power  return  paths  instead  of  the  aircraft  frame. 

Some  insight  into  the  severity  of  the  lightning  problem  can  be  gained  by  reviewing  the 
results  of  electrical  transient  tests  conducted  in  1973  on  the  NASA  F-8  Digital  Fly-by- 
Wire  (DFBW)  aircraft. 

In  these  tests,  simulated  lightning  strikes  at  a  non-destructive  level  of  300  amperes 
were  applied  to  an  early  configuration  of  the  DFBW  aircraft  while  voltage  and  current 
measurements  were  made  in  various  circuits.  Results  of  measurements  at  this  level  were 
then  scaled  up  by  assuming  a  lightning  current  of  30,000  amperes.  Voltages  (for  a 
30,000  ampere  strike)  in  the  range  of  60  to  120  volts  were  determined  in  the  Apollo 
guidance  computer  with  levels  on  the  order  of  200  volts  for  the  power  busses.  Currents 
measured  in  the  wire  bundles  located  in  the  left  gun  bay  indicated  that  up  to  180  amperes 
peak-to-peak  would  be  induced  by  a  30,000  ampere  strike.  Figure  10  illustrates  the 
resultant  distribution  of  current  amplitudes  in  the  cable  bundles.  These  levels,  if  not 
protected against, would exceed the typical 10 ampere peak current specified for electronic
flight control systems.

The  designer  basically  has  two  options  for  incorporating  lightning  resistance  into  his 
design.  He  can  attempt  to  insure  that  all  sensitive  circuits  are  contained  within  a 
transient-free  environment  or  he  can  specifically  design  the  system  to  accept  transients 
at  all  terminals. 

The  first  approach  usually  employs  a  Faraday-Cage  grounded  chassis  construction,  with  the 
input  power  carefully  filtered  and  all  wires  connecting  to  other  subsystems  thoroughly 
shielded.  The  details  of  the  second  approach  depend  on  the  specifics  of  the  system 
being  designed,  but  certain  general  practices  include  coupling  transformers  to  protect 
sensitive  circuits  from  common-mode  surges,  balanced  transmission  lines  and  grounded 
shields  on  all  transmission  cables,  and  voltage  clamps  on  signal  leads. 


FAILURE  DETECTION  METHODS 

Failure  detection  is  one  of  the  keys  to  high  system  reliability.  Generally,  failures  are 
detected at the component level prior to fabrication, or at the system level after fabrication.
Both failure detection methods will be considered briefly in this section.

Component  Failures 

Since  the  cost  of  detecting  faults  on  the  component  level  is  1/3  the  cost  of  detecting 
failures at the system level,²³ the importance of component failure detection cannot be
overemphasized. The purpose of component testing is, of course, to screen out faulty
components  in  the  beginning  and  to  gain  some  insight  as  to  how  the  performance  of  a  good 

be influenced by the control system. That means comparison testing of the output signals
of redundant sensor units is necessary.

Where the degree of redundancy is not sufficient to permit voting, the designer may employ
various real-time modeling techniques, as already mentioned earlier. These techniques
may also use the fact that outputs from independent sensors are compared. For example,
the output of an accelerometer displaced from the aircraft center of gravity may be used
to check the output of a rate gyro.

For systems in which signals may be present in a given element for only short periods of
time, separated by long, quiescent periods, active failure detection can be readily
applied. The self-testing can be accomplished through stimulated monitoring. In stimulated
monitoring, a small tracer signal, generally with zero mean value, is passed
through the system and the output. The stimulus is always selected to have negligible
effect on system performance.

One of the simplest self-testing methods available is the fixed-model method, in which
comparisons are made to ensure that the control system's signals or certain carrier
characteristics (i.e. pulse frequency and shaping) agree with expected ones within
prescribed limits for a given set of conditions. This method can be implemented
either in hardware or in software. Examples include parity checks and memory-sum
checks. These methods can be either passive or active.

For systems involving communication with one or more asynchronous peripherals, the
"handshake" method is often used. Handshake communication methods require that the
receiver generates a "ready" signal before the sender will pass signals. Received
signals are then compared with transmitted signals to insure that they are identical.
If they are not, additional transmission may be attempted, until there is a match.

Processor timing can be used in a very simple self-test method to test for software
errors. In a properly functioning program a clock within the processor is reset at
regular intervals. An early or late reset is interpreted as evidence of some difficulty.

For digital control systems with a finite and known set of digital output patterns, self-test
circuits can be used to detect errors. An error signal is generated whenever the
output differs from the known set of "good" code words.

We have briefly touched on a few of the more common self-testing methods applicable to
flight control systems which the designer has at his disposal. Constraints imposed by the
details of the system being designed dictate to a great extent which self-test method, if
any, makes the most sense. Clearly, self-testing, when used in conjunction with other
methods  outlined  in  this  paper,  has  the  potential  for  sharply  increasing  the  reliability 
of  flight  control  systems. 
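
The fixed-model checks (parity, memory sum), the processor-timing check and the code-word check described above, combined in one monitor as an added example that is not from the paper. The 16-bit word size, the 20 ms reset period with 2 ms tolerance, the one-hot code-word set and all names and sample data are assumptions constructed for illustration.

```python
# Added illustration of the self-test methods described above. Word size,
# timing values and the code-word set are assumptions, not from the paper.

WORD_MASK = 0xFFFF  # assumed 16-bit memory words


def parity_bit(word):
    """Even-parity bit: 1 when the word holds an odd number of 1 bits."""
    return bin(word & WORD_MASK).count("1") & 1


def memory_sum(image):
    """Memory-sum check value: sum of all words modulo 2**16."""
    total = 0
    for word in image:
        total = (total + (word & WORD_MASK)) & WORD_MASK
    return total


class TimingMonitor:
    """Processor-timing check: a healthy program resets the clock at regular
    intervals, so an early or late reset is reported as a fault."""

    def __init__(self, period_ms, tolerance_ms, start_ms=0):
        self.period_ms = period_ms
        self.tolerance_ms = tolerance_ms
        self.last_reset_ms = start_ms

    def reset(self, now_ms):
        elapsed = now_ms - self.last_reset_ms
        self.last_reset_ms = now_ms
        if elapsed < self.period_ms - self.tolerance_ms:
            return "early"
        if elapsed > self.period_ms + self.tolerance_ms:
            return "late"
        return "ok"


def output_error(pattern, good_code_words):
    """Code-word check: error whenever the output is outside the known set."""
    return pattern not in good_code_words


def run_self_test(image, stored_sum, stored_parity, reset_times_ms, outputs,
                  good_code_words, period_ms=20, tolerance_ms=2):
    """Run all checks and return a list of (check, detail) fault records."""
    faults = []
    for addr, (word, par) in enumerate(zip(image, stored_parity)):
        if parity_bit(word) != par:
            faults.append(("parity", addr))
    current_sum = memory_sum(image)
    if current_sum != stored_sum:
        faults.append(("memory-sum", current_sum))
    monitor = TimingMonitor(period_ms, tolerance_ms)
    for t in reset_times_ms:
        verdict = monitor.reset(t)
        if verdict != "ok":
            faults.append(("timing-" + verdict, t))
    for pattern in outputs:
        if output_error(pattern, good_code_words):
            faults.append(("code-word", pattern))
    return faults


# Constructed sample data: a four-word memory image and its reference values.
IMAGE = [0x1234, 0xABCD, 0x0F0F, 0x8001]
STORED_SUM = memory_sum(IMAGE)
STORED_PARITY = [parity_bit(w) for w in IMAGE]
GOOD_CODE_WORDS = frozenset({0b0001, 0b0010, 0b0100, 0b1000})  # one-hot outputs

if __name__ == "__main__":
    # Two word errors that cancel in the sum: only the parity check reports them.
    compensated = [0x1235, 0xABCC, 0x0F0F, 0x8001]
    print(run_self_test(compensated, STORED_SUM, STORED_PARITY,
                        [20, 40, 49, 100], [0b0001, 0b0011], GOOD_CODE_WORDS))
```

In the constructed data a compensating pair of word errors leaves the memory sum unchanged and is caught only by the per-word parity check, which is why the checks are run together.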


FUTURE TRENDS

The number of flight-critical functions, such as automatic landing and active control,
now performed by modern flight control systems is expected to continue to increase in
the future. As we move into the era of integrated control, flight control is rapidly
becoming an equal partner with aerodynamics, propulsion and structures in the aircraft
design process. This integrated view of airframe, propulsion and subsystem control
functions  and  mechanizations,  illustrated  in  Figure  13,  will  be  a  principal  driver  in  the 
efficiency  and  economics  of  future  aircraft.  Major  improvements  in  aircraft  performance 
and  reductions  in  aircraft  weight  appear  possible  through  combinations  of  currently- 
independent  aircraft  functions  such  as  active  airframe  control,  propulsion  control, 
landing  loads  control,  and  fuel  management.  For  example,  the  integration  of  active  landing 
gear  and  maneuver  load  control  systems  can  appreciably  decrease  wing  structural  stiffness 
requirements  and  weight.  Similarly,  automatic  reconfiguration  of  control  system  gains 
in  the  event  of  an  engine  failure  can  allow  sizeable  reductions  in  required  control 
surface areas. Extensions of this approach to fully-integrated, control-configured
aircraft could provide up to 15% fuel savings and structural weight reductions.

In  addition,  integrated  control  will  permit  the  evolution  of  a  distributed  control 
architecture  which  utilizes  a  redundant  data  bus  and  standard  microprocessor  modules 
to  implement  all  aircraft  control  functions.  Such  standard  programmable  modules  would 
have built-in fault tolerance, multifunctional capability, and standard interfaces to
yield significantly fewer control system elements and lower system costs. For example,
application of this design approach to a B-737 transport could reduce the number of
standard boxes from the 64 now used to 20 standard modules with attendant weight savings
of about 1000 lbs. Potential gains in reliability could be even more important. Preliminary
analyses indicate that integrated control configurations could be implemented with
twice the reliability, half the maintenance cost, and one-third the equipment used in
present flight control systems. Projected component advances will further increase
flight control system performance and integrity. Examples of these include solid-state
or ring laser rate gyros, very high-density integrated circuits and multi-layered
packaging techniques, fiber optics data links with their inherent potential for lightning
survivability, and light-weight electrohydraulic actuators. With the flexibility
afforded by digital electronics and fly-by-wire systems, future flight control design
could  be  significantly  simplified  and  specific  systems  could  be  readily  mechanized 
through  the  assembly  of  proven  sensor,  processor,  and  actuator  modules  using  the  latest 
technology. 


CONCLUDING REMARKS


Flight control systems today stand at the threshold of a new age - in terms of both
utilization and mechanization. The first steps, fly-by-wire and active control, have
already been taken in operational military aircraft and are being designed into the civil
transports now on the drawing boards. Beyond that, the revolution in microelectronics and
related technologies offers the promise of totally-integrated control functions and simplified
system configurations which take maximum advantage of standardized modules to increase
reliability while reducing systems development and maintenance costs.

The  integrity  of  flight  control  has  been,  and  will  continue  to  be,  the  key  factor  in  the 
acceptance  of  these  concepts  for  operational  application.  While  considerable  progress 
has been made in this area, major additional gains in reliable design approaches and
implementations  are  essential  if  flight  control  systems  are  to  reap  their  full  benefits 
during  the  next  decade. 
Fig. 2 Effect of redundancy on control complexity